When a vulnerability is disclosed in software you’re depending on, the last thing you want is for the remediation process to be confusing or ad-hoc. Towards the goal of a more secure and safe Python ecosystem, the Python Software Foundation has been authorized by the CVE Program as a CVE Numbering Authority (CNA).Being authorized as a CNA is one milestone in the Python Software Foundation’s strategy to improve the vulnerability response processes of critical projects in the Python ecosystem. The Python Software Foundation CNA scope covers Python and pip, two projects which are fundamental to the rest of Python ecosystem.
By becoming a CNA, the PSF will be providing the following benefits to in-scope projects:
Paid staffing for CNA operations rather than requiring volunteer time.
Quicker allocations of CVE IDs after a vulnerability is reported.
Involvement of each projects’ security response teams during the reporting of vulnerabilities.
Richer published advisories and CVE Records including descriptions, metadata, and remediation information.
Consistent disclosures and publishing locations.
CNA operations will be staffed primarily by the recently hired Security Developer-in-Residence Seth Michael Larson, Ee Durbin, and Chloe Gerhardson.The PSF wants to help other Open Source organizations and will be sharing lessons learned and developing guidance on becoming a CNA and day-to-day operations.To be alerted of newly published vulnerabilities in Python or pip, subscribe to the firstname.lastname@example.org mailing list for security advisories. There is also a new advisory database published to GitHub using the machine-readable Open Source Vulnerability (OSV) format.